The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2274

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This commit deals with different kernel and userspace layouts and nesting. Here
are three examples:
1. 64bit kernel and 64bit userspace running 32bit containers
2. 64bit kernel and 32bit userspace running 64bit containers
3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers
Two things to look out for:
1. The compat arch that is detected might have already been present in the main
   context. So check that it actually hasn't been and only then add it.
2. The contexts don't need merging if the architectures are the same and also can't be.
With these changes I can run all crazy/weird combinations with proper seccomp
isolation.

Closes #654.

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366
Reported-by: Chirantan Ekbote <chiran...@chromium.org>
Reported-by: Sonny Rao <sonny...@chromium.org>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From b5ed021bbc47efe77732b38b5946116be94367e1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Fri, 13 Apr 2018 14:02:24 +0200
Subject: [PATCH] seccomp: handle arch inversion

This commit deals with different kernel and userspace layouts and nesting. Here
are three examples:
1. 64bit kernel and 64bit userspace running 32bit containers
2. 64bit kernel and 32bit userspace running 64bit containers
3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers
Two things to look out for:
1. The compat arch that is detected might have already been present in the main
   context. So check that it actually hasn't been and only then add it.
2. The contexts don't need merging if the architectures are the same and also can't be.
With these changes I can run all crazy/weird combinations with proper seccomp
isolation.

Closes #654.

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366
Reported-by: Chirantan Ekbote <chiran...@chromium.org>
Reported-by: Sonny Rao <sonny...@chromium.org>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/seccomp.c | 48 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 310a742fc..5da31a563 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -370,17 +370,21 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
                WARN("Failed to turn on seccomp nop-skip, continuing");
        }
 #endif
-       ret = seccomp_arch_add(ctx, arch);
-       if (ret != 0) {
-               ERROR("Seccomp error %d (%s) adding arch: %d", ret,
-                     strerror(-ret), (int)n_arch);
-               seccomp_release(ctx);
-               return NULL;
-       }
-       if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
-               ERROR("Seccomp error removing native arch");
-               seccomp_release(ctx);
-               return NULL;
+
+       if (seccomp_arch_exist(ctx, arch) == -EEXIST) {
+               ret = seccomp_arch_add(ctx, arch);
+               if (ret != 0) {
+                       ERROR("Seccomp error %d (%s) adding arch: %d", ret,
+                                       strerror(-ret), (int)n_arch);
+                       seccomp_release(ctx);
+                       return NULL;
+               }
+
+               if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
+                       ERROR("Seccomp error removing native arch");
+                       seccomp_release(ctx);
+                       return NULL;
+               }
        }
 
        return ctx;
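Review bot: the new guard `if (seccomp_arch_exist(ctx, arch) == -EEXIST)` depends on libseccomp's inverted convention, where seccomp_arch_exist() returns 0 when the architecture is already in the filter and -EEXIST when it is not, so a reader will naturally assume the branch runs when the arch already exists; please add a one-line comment stating that -EEXIST means "not present here". The other documented return value, -EINVAL for an invalid context or architecture token, now falls through silently and get_new_ctx() hands back a context that still carries only SCMP_ARCH_NATIVE instead of the requested compat arch, which is the opposite of what the caller asked for. Handle it explicitly, e.g. `ret = seccomp_arch_exist(ctx, arch); if (ret == 0) return ctx;` followed by `if (ret != -EEXIST) { ERROR(...); seccomp_release(ctx); return NULL; }`. Minor: the ERROR in the add path still prints `(int)n_arch` while the call passes `arch`; printing both makes a wrong n_arch-to-arch mapping visible in the log.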
@@ -772,11 +776,23 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
        }
 
        if (compat_ctx[0]) {
-               INFO("Merging in the compat Seccomp ctx into the main one");
-               if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0 ||
-                       (compat_ctx[1] != NULL && 
seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0)) {
-                       ERROR("Error merging compat Seccomp contexts");
-                       goto bad;
+               INFO("Merging compat seccomp contexts into main context");
+               if (compat_arch[0] != native_arch && compat_arch[0] != 
seccomp_arch_native()) {
+                       ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[0]);
+                       if (ret < 0) {
+                               ERROR("Failed to merge first compat seccomp 
context into main context");
+                               goto bad;
+                       }
+                       TRACE("Merged first compat seccomp context into main 
context");
+               }
+
+               if (compat_arch[1] && compat_arch[1] != native_arch && 
compat_arch[1] != seccomp_arch_native()) {
+                       ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[1]);
+                       if (ret < 0) {
+                               ERROR("Failed to merge first compat seccomp 
context into main context");
+                               goto bad;
+                       }
+                       TRACE("Merged second compat seccomp context into main 
context");
                }
        }
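Review bot: the ERROR under the compat_ctx[1] branch, `ERROR("Failed to merge first compat seccomp context into main context")`, is a copy of the first branch's message and should say "second", otherwise a failed merge is logged against the wrong context. The guard compares compat_arch[n] against both `native_arch` and `seccomp_arch_native()`; if those two values come from different enumerations (LXC's lxc_hostarch_t on one side, libseccomp's SCMP_ARCH_* tokens on the other) then only the comparison whose type matches compat_arch[] is meaningful and the other can match or miss by coincidence, so keep the one with the matching type, or convert before comparing, and drop the redundant check. Also, a compat context that is skipped here because its arch equals the native one is neither merged nor released in this hunk; please confirm the existing cleanup path still frees compat_ctx[n] on that route so the skip does not leak the filter.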
 
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel